[HN Gopher] Towards native security defenses for the web ecosystem
___________________________________________________________________

Towards native security defenses for the web ecosystem

Author : edmorley
Score  : 18 points
Date   : 2020-07-22 21:04 UTC (1 hours ago)

(HTM) web link (security.googleblog.com)
(TXT) w3m dump (security.googleblog.com)

| techntoke wrote:
| If they would just use a container sandbox and
| AppArmor/Seccomp/etc we wouldn't be stuck on this JavaScript
| monster we've created that still allows companies to spy on every
| mouse movement and track you around the web by default, but now
| requires 100s of unvetted JavaScript modules and dependencies for
| a framework to do the most simple tasks that should be included
| by default in HTML.

| The_rationalist wrote:
| If they used such a sandboxing technology, could they bring
| true support for other programming languages than JS?
| (WebAssembly has no seamless support of browser APIs and no
| seamless JS interop) I strongly think that bringing GraalVM
| polyglotism to browsers is one of the biggest breakthroughs
| awaiting browsers this century! It would bring the pleasure and
| expressiveness of modern programming languages, bring more
| performance and bring insanely big advantages, orders of
| magnitude too big for our homo sapiens brains to realize: bring
| the other programming ecosystems such as the Java one, as such
| bring hundreds of billions of dollars of existing human
| resources AKA the best open source libraries in the world,
| solving any niche problem at will.

| techntoke wrote:
| Yes, not only would it allow support for other programming
| languages but it would be orders of magnitude faster than
| JavaScript. I agree with pretty much everything you said.

| ohazi wrote:
| I'm conflicted.
|
| On the one hand, this looks _way_ too complicated, and I predict
| web devs are going to be confused and getting this stuff subtly
| wrong for the next decade or more. CORS was bad enough, but this
| looks worse.
|
| On the other hand, processors are completely broken and I
| genuinely don't see a better alternative.

| arkadiyt wrote:
| It doesn't seem so bad to me. Fetch Metadata will be handled by
| your framework of choice (Rails, Django, etc) & COOP is a
| single header that can be deployed by the security team in your
| app or at the edge. TrustedTypes are the only thing that will
| really cause developer headache I think.

___________________________________________________________________
(page generated 2020-07-22 23:00 UTC)
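
An added example, not part of the thread above or of the linked post: a minimal WSGI middleware showing the two server-side pieces named in the last comment, a Fetch Metadata check on the `Sec-Fetch-*` request headers and a COOP response header. The names `IsolationMiddleware`, `allowed_by_fetch_metadata` and `simulate` are hypothetical, the requests are constructed, and letting through requests that carry no `Sec-Fetch-Site` header is an assumption made for browsers that do not send Fetch Metadata.

```python
# Added example (standard library only); names and sample requests are constructed.
SAFE_SITES = {"same-origin", "same-site", "none"}

def allowed_by_fetch_metadata(environ):
    """Resource isolation policy driven by the Sec-Fetch-* request headers."""
    site = environ.get("HTTP_SEC_FETCH_SITE")
    if site is None:
        return True  # assumption: fail open for browsers without Fetch Metadata
    if site in SAFE_SITES:
        return True  # same-origin, same-site, or user-initiated (address bar)
    # Cross-site: allow only plain top-level GET navigations (links, bookmarks),
    # never cross-site subresource loads, POSTs, or <object>/<embed> loads.
    return (environ.get("HTTP_SEC_FETCH_MODE") == "navigate"
            and environ.get("REQUEST_METHOD") == "GET"
            and environ.get("HTTP_SEC_FETCH_DEST") not in ("object", "embed"))

class IsolationMiddleware:
    """Rejects disallowed cross-site requests and adds COOP to every response."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not allowed_by_fetch_metadata(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by resource isolation policy\n"]

        def with_coop(status, headers, exc_info=None):
            extra = [("Cross-Origin-Opener-Policy", "same-origin"),
                     ("Vary", "Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest")]
            return start_response(status, list(headers) + extra, exc_info)
        return self.app(environ, with_coop)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def simulate(method, **fetch):
    """Send one constructed request through the middleware; return (status, headers)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/"}
    for name, value in fetch.items():
        environ["HTTP_SEC_FETCH_" + name.upper()] = value
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    IsolationMiddleware(demo_app)(environ, start_response)
    return seen["status"], seen["headers"]
```

The `Vary` header keeps shared caches from serving a response chosen for one `Sec-Fetch-*` combination to a request with another.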